The Schnorr protocol is a 3-step proof of knowledge of a discrete logarithm, whose interactive version works as follows.

Let $p$ and $q$ be two public primes, such that $q \mid (p-1)$, and let $G$ be a cyclic subgroup of $\mathbb Z^\times_p$ of order $q$ (i.e. a Schnorr group) with generator $g$. The prover $P$ wants to prove knowledge of $x=\log_g(y)$ to a verifier $V$, by the following steps:

What is the exact reason why the response $s$ of the prover in step 3 is that one, and not another one? For example, couldn't it also work if the response were $s=r+c+x$ or $s=rc+x$, and then the verifier had to check if $g^s \equiv t g^c y$ or $g^s \equiv t^c y$, respectively?

2 Answers

As noted by Perseids in a comment to this answer, the formula $s = r + c + x$ would allow an adversary (who has completed the protocol once in the role of verifier with $P$ and already got one valid triplet $t_1,c_1,s_1$) to compute responses to any arbitrary challenge, simply using the formulas $t_2 = t_1$, $s_2 = s_1 + c_2 - c_1$.

Your other alternative $s = rc + x$ would however work, given a few additional restrictions:

$c \neq 0$. Since we are working in a prime order subgroup, this implies the existence of a multiplicative inverse $c^{-1}$ modulo the group order $q$. This is not a significant restriction to the original protocol, since $c = 0$ would entail the response $s = r + 0x = r$, which would not prove possession of $x$ and hence be pointless. With the alternative formula, however, $c = 0$ would entail $s = x + 0r = x$, which would leak the private key.

$t$ and $y$ belong to the same prime order subgroup as $g$. This is implicit from the protocol specification, but it might be stressed that $V$ is able to verify that this is indeed the case, by checking that $p, q$ are prime numbers such that $q \mid p-1$, and that $g^q \equiv t^q \equiv y^q \equiv 1 \pmod p$.

We define $r = \log_g(t) \bmod p$ and $x = \log_g(y) \bmod p$. The attacker is not required to know the exact values $r$ and $x$ for the following math to work out.

We also need a security claim, in order to define exactly what it is we assume about the original protocol and want to prove with respect to the alternative one. The most appropriate claim would be that an adversary $A$, who does not know $x$ and does not have real-time oracle access to the authentic prover $P$, has only a negligible chance of successfully playing out the protocol with an honest verifier $V$.

It might be noted that an adversary $A$ with real-time oracle access to the authentic prover $P$, would be trivially able to successfully play out the protocol with any honest verifier $V$. Hence, in order not to prove something we already know, we have to assume this is not the case.

Suppose an adversary $A$ is able to impersonate $P$ and provide false proofs of $x$ using the alternative formula. Since $sc^{-1} = (rc + x)c^{-1} = r + xc^{-1}$, such an adversary would also be able to provide false proofs of $x$ using the original formula. Since the latter is impossible, so is the former.

A proof might be outlined as follows:

Let $A$ be an adversary who is able to successfully play out the protocol based on the alternative formula $s = rc + x$, given the restrictions listed above. Let $V$ be an (honest) verifier who expects the $s$ value to comply with the original formula, subject to the same restrictions (in particular that $c \neq 0$). Let $A'$ denote $A$ taking the role of a prover of $x$ using the original formula.

Now, all we need to do is to add a few steps where $A'$ plays out the protocol steps with $A$ (i.e. himself):

$V$ asks $A'$ to commit.

$A'$ asks $A$ to commit and gets a value $t$, such that $t^q = 1 \bmod p$, which $A'$ forwards to $V$.

$V$ replies with a challenge $c$ chosen at random from $\mathbb Z_q^*$.

If $V$ doesn't accept $s'$ as a proof of $x$ given challenge $c$ in step 4, neither would a verifier who expected a response using the alternative formula accept the response $s$ to the challenge $c^{-1}$ as a proof of $x$.

So what does this prove with respect to the security claim? Firstly, assume that the original protocol meets the security claim, but the alternative protocol doesn't. If the alternative protocol doesn't meet the security claim, it means that the adversary $A$ has a non-negligible probability of successfully playing out the above protocol, but since we have just proved that this would mean that $A'$ also would have the same probability of successfully playing out the protocol, this would contradict our original assumption (that the original protocol meets the security claim), and hence it is not possible that the alternative protocol doesn't.

The idea is correct, but you cannot argue using the structure of $s$, as it possibly comes from an attacker. But what you can do is plug it into the verification (assuming $c\neq 0$): $g^s = t^c y\Leftrightarrow (g^s)^{(c^{-1})}=(t^c y)^{(c^{-1})}\Leftrightarrow g^{s'} = t y^{(c^{-1})}$ for $s'=s\cdot c^{-1}$. Now you can use the classic proof that $P$ knows $x$ with high probability. Also, as multiplying with $c^{-1}$ is bijective, the simulator needed for the zero knowledge property can also be used with your substitution $s\leftrightarrow sc^{-1}$.
– Perseids, Aug 15 '13 at 17:14

@Perseids: Your comment is a bit unclear. It doesn't matter if $A$ actually knows $r$ and $x$ or not. The logical requirement for such an adversary to be turned into an adversary $A'$ that impersonates $P$ using the original formula is that the challenge $c$ provided by $V$ is invertible. The law of distributivity under addition and multiplication works regardless of whether you actually know the value of the terms.
– Henrick Hellström, Aug 15 '13 at 17:26

You do not need to know the values to perform the calculation, yes. But as a verifier you do not know that $s=r+cx$ for some $r$ such that $t=g^r$ and some $x$ such that $g^x=y$. You only got some value $t$ and some value $s$ from $P$ that you know nothing about. If $V$ trusted $P$ enough to believe his statement that $s=r+cx$ for the above $r$ and $x$, then $V$ could immediately trust $P$ to know the discrete logarithm of $y$.
– Perseids, Aug 15 '13 at 17:39


@Perseids: If $s \neq rc + x = \log_g(t)c + \log_g(y)$, then $g^s \neq t^cy$ as well, presuming only that $t$ and $y$ belong to the same cyclic subgroup that is generated by $g$, which is something $V$ might test.
– Henrick Hellström, Aug 15 '13 at 18:36


Great, that was the missing step :). So the argument goes like this: For $r=\log_g(t)$ and $x=\log_g(y)$ we have $g^s = t^c y \Rightarrow g^s=g^{rc} g^x \Rightarrow s=rc+x \Rightarrow sc^{-1}=(rc+x)c^{-1}=r+xc^{-1}$. Now suppose $V'$ (the original Schnorr protocol verifier) challenges $A$ with $c'$; then $A$ challenges $P$ with $c'^{-1}$, who returns $s$. $A$ now answers $V'$ with $sc^{-1}=r+xc^{-1}=r+xc'$, which will convince $V'$. Yes, that proof is also nice :D. Thanks for the discussion.
– Perseids, Aug 15 '13 at 18:58
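The three response formulas compared in this answer and its comments, as an added Python example (not code from the question or the answers): a constructed toy Schnorr group with the verifier checks from the answer, the forgery against $s = r + c + x$ from a single accepted transcript, and the reduction $A'$ that turns a black-box prover for $s = rc + x$ into a prover for the original formula by sending the challenge $c'^{-1}$ and returning $s \cdot c'$. The primes, the trial-division primality check and all function names are assumptions made for this example.

```python
"""Added example: the three response formulas from the question over a toy
Schnorr group. Parameters are constructed and far too small for real use."""
import secrets

P, Q = 2039, 1019                 # constructed primes with Q | P - 1
G = pow(2, (P - 1) // Q, P)       # 2^2 = 4 generates the order-Q subgroup


def is_prime(n):
    """Trial division (toy parameters only; a real V would use Miller-Rabin)."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def check_group(p, q, g, *elements):
    """V's checks from the answer: p, q prime, q | p-1, and g plus every
    received element (t, y) lies in the order-q subgroup (e^q == 1 mod p)."""
    return (is_prime(p) and is_prime(q) and (p - 1) % q == 0 and g != 1
            and all(pow(e, q, p) == 1 for e in (g,) + elements))


def keygen():
    x = secrets.randbelow(Q - 1) + 1  # private key in [1, Q-1]
    return x, pow(G, x, P)


def commit():
    r = secrets.randbelow(Q - 1) + 1  # fresh nonce for every run
    return r, pow(G, r, P)


# Original Schnorr: s = r + c x, V checks g^s == t y^c.
def respond_original(r, x, c): return (r + c * x) % Q
def verify_original(y, t, c, s): return pow(G, s, P) == t * pow(y, c, P) % P

# Alternative 1 from the question: s = r + c + x, V checks g^s == t g^c y.
def respond_sum(r, x, c): return (r + c + x) % Q
def verify_sum(y, t, c, s): return pow(G, s, P) == t * pow(G, c, P) * y % P

# Alternative 2 from the question: s = r c + x, V checks g^s == t^c y.
def respond_product(r, x, c): return (r * c + x) % Q
def verify_product(y, t, c, s): return pow(G, s, P) == pow(t, c, P) * y % P


def forge_sum(transcript, c2):
    """With s = r + c + x, one accepted triplet (t1, c1, s1) answers any other
    challenge: reuse t1 and send s2 = s1 + c2 - c1, with no knowledge of x."""
    t1, c1, s1 = transcript
    return t1, (s1 + c2 - c1) % Q


class ProductProver:
    """Black-box prover for s = r c + x; A' only calls commit() and respond()."""
    def __init__(self, x):
        self.x, self.r = x, None

    def commit(self):
        self.r, t = commit()
        return t

    def respond(self, c):
        if c % Q == 0:
            raise ValueError("c = 0 would return s = x and leak the key")
        return respond_product(self.r, self.x, c)


def adversary_a_prime(black_box):
    """A' for the original protocol, built from a prover for s = r c + x:
    forward t unchanged, challenge the box with c = c'^{-1}, and return
    s * c' = (r c'^{-1} + x) c' = r + x c', which V's original check accepts."""
    def commit_fn():
        return black_box.commit()

    def respond_fn(c_prime):
        s = black_box.respond(pow(c_prime, -1, Q))
        return (s * c_prime) % Q
    return commit_fn, respond_fn


def play_original(y, commit_fn, respond_fn):
    """Honest V for the original formula: take t, send a random c in Z_q^*,
    take s, and accept only if the group checks and the equation both hold."""
    t = commit_fn()
    c = secrets.randbelow(Q - 1) + 1
    s = respond_fn(c)
    return check_group(P, Q, G, t, y) and verify_original(y, t, c, s)


if __name__ == "__main__":
    x, y = keygen()
    print("A' accepted by V:", play_original(y, *adversary_a_prime(ProductProver(x))))
```

`ProductProver` stands in for the authentic prover $P$ (or the adversary $A$) answering with the alternative formula; `adversary_a_prime` never touches `x` or `r`, it only multiplies the returned `s` by `c'`, which is the whole content of the reduction. The `c % Q == 0` check is the $c \neq 0$ restriction from the answer: with $s = rc + x$ a zero challenge would hand out the private key.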

You have to look at the response from the perspective of the verifier. This specific construction allows him/her to verify $P$'s knowledge of $x$:

If $P$ could answer two different requests $c_1,c_2$ in step 2) then we would have $g^{s_1}=ty^{c_1}$ and $g^{s_2}=ty^{c_2}$. Dividing one equation by the other we get $g^{s_1-s_2}=y^{c_1-c_2}$. Let $(c_1-c_2)^{-1}$ be the inverse of $c_1-c_2$ modulo $q$ (which exists because $c_1-c_2\neq 0$ as they are distinct); then $y=g^{(s_1-s_2)\cdot(c_1-c_2)^{-1}}$. It follows that $x=(s_1-s_2)\cdot(c_1-c_2)^{-1}$ is the discrete logarithm of $y$. Thus if $P$ can answer two requests, he/she will know $x$. If $P$ could only answer one of them, the probability of $V$ choosing this exact one is very small (depending on the size of $q$).

I haven't tried hard but I believe the alternatives you mention cannot prove the knowledge of $x$.

Thanks for your answer, but my question was more related to your last sentence: I presume the alternatives I mention cannot prove the knowledge of $x$, but my question is why? What are they missing? Why is $s=r+cx$ proving knowledge of $x$ but $s=r+c+x$ (or $s=rc+x$) is not?
– LRM, Aug 15 '13 at 15:01


Don't look at the structure of 3), look at the structure of 4). $V$ cannot know which structure is actually behind 3) and can only verify what he can see in step 4). Try to build a proof for the knowledge of $x$ out of the verification that $g^{s_1} = t g^{c_1} y$ and $g^{s_2} = t g^{c_2} y$, or $g^{s_1} = t^{c_1} y$ and $g^{s_2} = t^{c_2} y$. I don't see how this could work.
– Perseids, Aug 15 '13 at 15:06


Now I'm sure the first ($s=r+c+x$) cannot work, as $V$ can calculate $s_2$ out of $s_1$ as $s_2=s_1+c_2-c_1$. Thus being able to answer two distinct challenges proves nothing.
– Perseids, Aug 15 '13 at 15:11

Does this mean that whenever we run the (original) Schnorr protocol, it has to be run at least twice, for $V$ to be sure that $P$ actually knows $x$?
– LRM, Aug 16 '13 at 9:48

@LRM: No, it doesn't. It just means that it is essential that $P$ chooses $r$ uniformly at random each time the protocol is played out.
– Henrick Hellström, Aug 16 '13 at 11:38
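The extraction argument in this answer, together with the nonce-reuse point in the last comment, as an added Python example (not code from the answer): two accepting transcripts that share the same commitment $t$ give $x = (s_1 - s_2)(c_1 - c_2)^{-1} \bmod q$. In the soundness proof those two transcripts come from rewinding the prover, which is why a single run with a fresh $r$ is enough for $V$; in practice they are exactly what an observer gets if $P$ reuses $r$. The group parameters, nonces and challenge values are constructed assumptions for this example.

```python
"""Added example: the Schnorr knowledge extractor from two transcripts with
the same commitment, over a constructed toy group (not for real use)."""
import secrets

P, Q = 2039, 1019                 # constructed primes with Q | P - 1
G = pow(2, (P - 1) // Q, P)       # generator of the order-Q subgroup


def verify(y, t, c, s):
    """Original Schnorr check: g^s == t * y^c (mod p)."""
    return pow(G, s, P) == t * pow(y, c, P) % P


def run(x, r, c):
    """One run of the original protocol with nonce r and challenge c;
    returns the transcript (t, c, s) that a verifier or eavesdropper sees."""
    return pow(G, r, P), c, (r + c * x) % Q


def extract(y, tr1, tr2):
    """The extractor from the answer: given two accepting transcripts with the
    same t and distinct challenges, x = (s1 - s2) * (c1 - c2)^{-1} mod q.
    Returns None when the transcripts cannot be combined (different t, equal
    challenges modulo q, or a failing verification)."""
    (t1, c1, s1), (t2, c2, s2) = tr1, tr2
    if t1 != t2 or (c1 - c2) % Q == 0:
        return None
    if not (verify(y, t1, c1, s1) and verify(y, t2, c2, s2)):
        return None
    return (s1 - s2) * pow(c1 - c2, -1, Q) % Q


def nonce_reuse(x, c1=17, c2=29):
    """P reuses a single r in two runs (constructed challenges c1, c2): the
    transcripts share t, so anyone who sees both recovers the private key."""
    y = pow(G, x, P)
    r = secrets.randbelow(Q - 1) + 1
    return extract(y, run(x, r, c1), run(x, r, c2))


def fresh_nonces(x, c1=17, c2=29):
    """P draws a fresh r per run, as the last comment prescribes: the two
    transcripts no longer share t, so the extractor has nothing to combine."""
    y = pow(G, x, P)
    r1, r2 = 100, 200            # constructed distinct nonces
    return extract(y, run(x, r1, c1), run(x, r2, c2))


if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1
    print("reused nonce leaks x:", nonce_reuse(x) == x)
    print("fresh nonces leak nothing:", fresh_nonces(x) is None)
```

Each transcript is also checked against the verification equation before it is combined, so the extractor only works on responses the verifier would actually accept, which is the condition the answer's argument starts from.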